Solved: ASA reports asymmetric NAT for VPN client outside NAT

tgrundbacher · ‎08-27-2010

I'm starting to become desperate on this one...

I have an ASA running 8.2(3) code where IPSec VPN client profiles are configured. The requirement is that the VPN client source IP's must be translated when they want to reach Server 10.237.214.151 on interface 'Swisscom' (the server is some hops away).

VPN pool range: 192.168.44.0 /24.

Translated IP for VPN pool range: 10.25.125.9 /32.

I've set up outside NAT on the outside interface and the respective global on the Swisscom interface, yet the ASA complains about asymmetric translation:

"Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.44.3/3183 dst Swisscom:10.237.214.151/21 denied due to NAT reverse path failure"

Am I missing something? I suspect that the ASA won't match the translated IP for the return traffic and expects a match for the real IP of the VPN pool, even though outside NAT should be working...

Help is very much appreciated!!

Regards

Toni

Here's a part of the relevant config:

ASA Version 8.2(3)
!
hostname iconfw
names
name 172.20.66.0 icon_network
name 10.49.28.0 infnet_10.49.28.0
name 10.50.242.0 infnet_10.50.242.0
name 10.50.244.0 infnet_10.50.244.0
name 172.20.66.22 offside-server
name 172.20.66.10 sun1
name 172.20.66.20 syslog-server
name 192.168.44.0 vpn-clients
name 10.49.49.0 infnet_10.49.49.0 description Hanspeters PC
name 10.50.65.0 infnet_10.50.65.0 description Hanspeter Poststrasse
name 172.20.66.8 SVN description SVN Server
name 10.57.0.0 infnet_10.57.0.0 description DHCP Bereich von Hampi-Laptop
name 10.58.0.0 infnet_10.58.0.0 description Hanspeter Laptop
name 10.237.0.0 infnet_10.237.0.0 description New NOVIS-DBs
name 192.168.45.0 test_net
name 10.25.125.3 nat_sun4_server
name 10.25.125.4 nat_svn_server
name 10.25.125.5 nat_vss_server
name 172.20.66.6 sun4
!
interface Ethernet0/0
nameif outside
security-level 0
ip address pppoe setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.20.66.1 255.255.255.224
!
interface Ethernet0/2
nameif Infnet
security-level 80
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/3
nameif Swisscom
security-level 50
ip address 10.25.125.2 255.255.255.240
!
object-group network Infnet_all_networks
network-object infnet_10.50.242.0 255.255.255.0
network-object infnet_10.50.244.0 255.255.255.0
network-object infnet_10.49.49.0 255.255.255.0
network-object infnet_10.50.65.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object infnet_10.49.28.0 255.255.255.0
network-object infnet_10.58.0.0 255.255.0.0
network-object infnet_10.57.0.0 255.255.0.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network Swisscom_gin
network-object host 10.237.214.151
network-object host 10.237.46.151
network-object host 10.237.46.51
object-group service DM_INLINE_TCP_1 tcp
port-object eq sqlnet
port-object eq ssh
access-list inside_access_in extended permit udp icon_network 255.255.255.224 any eq domain
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 8080
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq rtsp
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 7070
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq domain
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq smtp
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq pop3
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq www
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 7670
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq nntp
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 8443
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq https
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq ssh
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq ftp
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 993
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 995
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 465
access-list inside_access_in extended permit icmp icon_network 255.255.255.224 any
access-list inside_access_in extended permit ip icon_network 255.255.255.224 object-group Infnet_all_networks
access-list inside_access_in extended permit ip icon_network 255.255.255.224 object-group Swisscom_gin
access-list inside_access_in extended deny ip any any
access-list Infnet_access_in extended permit tcp object-group Infnet_all_networks host offside-server eq 8890
access-list Infnet_access_in extended permit tcp object-group Infnet_all_networks host offside-server eq www
access-list Infnet_access_in extended permit icmp object-group Infnet_all_networks host offside-server
access-list Infnet_access_in extended permit tcp object-group Infnet_all_networks host SVN eq www
access-list Infnet_access_in extended permit tcp object-group Infnet_all_networks host SVN eq https
access-list Infnet_access_in extended permit tcp object-group Infnet_all_networks host sun1 eq sqlnet
access-list Infnet_access_in extended deny ip any any
access-list outside_access_in remark from home to new swisscom
access-list outside_access_in extended permit tcp vpn-clients 255.255.255.0 infnet_10.237.0.0 255.255.0.0 object-group DM_INLINE_TCP_1
access-list outside_access_in extended deny ip any any
access-list nonat-inside extended permit ip icon_network 255.255.255.224 object-group Infnet_all_networks
access-list nonat-inside extended permit ip icon_network 255.255.255.224 vpn-clients 255.255.255.0
access-list outside_nat_outbound extended permit ip vpn-clients 255.255.255.0 object-group Infnet_all_networks
access-list Infnet_nat0_outbound extended permit ip any any
access-list management_access_in extended deny ip any any
access-list inside_nat_outbound extended permit ip icon_network 255.255.255.224 object-group Swisscom_gin
access-list Swisscom_access_in extended permit tcp object-group Infnet_all_networks host nat_sun4_server eq sqlnet
access-list Swisscom_access_in extended permit tcp object-group Infnet_all_networks host nat_vss_server eq 8890
access-list vpn_nat_Swisscom extended permit ip vpn-clients 255.255.255.0 object-group Swisscom_gin
ip local pool vpn-clients 192.168.44.1-192.168.44.254 mask 255.255.255.0
nat-control
global (outside) 1 interface
global (Infnet) 2 172.20.66.7 netmask 255.255.0.0
global (Swisscom) 3 interface
global (Swisscom) 4 10.25.125.9 netmask 255.255.255.255
nat (outside) 2 access-list outside_nat_outbound outside
nat (inside) 0 access-list nonat-inside
nat (inside) 3 access-list inside_nat_outbound
nat (outside) 4 access-list vpn_nat_Swisscom outside
nat (inside) 1 icon_network 255.255.255.224
nat (Infnet) 0 access-list Infnet_nat0_outbound
static (inside,Swisscom) nat_sun4_server sun4 netmask 255.255.255.255
static (inside,Swisscom) nat_svn_server SVN netmask 255.255.255.255
static (inside,Swisscom) nat_vss_server offside-server netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group Infnet_access_in in interface Infnet
access-group Swisscom_access_in in interface Swisscom
access-group management_access_in in interface management
route Infnet infnet_10.49.28.0 255.255.255.0 192.168.1.1 1
route Infnet infnet_10.49.49.0 255.255.255.0 192.168.1.1 1
route Infnet infnet_10.50.65.0 255.255.255.0 192.168.1.1 1
route Infnet infnet_10.50.242.0 255.255.255.0 192.168.1.1 1
route Infnet infnet_10.50.244.0 255.255.255.0 192.168.1.1 1
route Swisscom 10.237.46.51 255.255.255.255 10.25.125.1 1
route Swisscom 10.237.46.151 255.255.255.255 10.25.125.1 1
route Swisscom 10.237.214.151 255.255.255.255 10.25.125.1 1

Nagaraja Thanthry · ‎08-29-2010

Hello,

So, we are making progress now :). Now that traffic is going from VPN

clients to Swisscom interface fine, let us put one more rule for the reverse

path:

access-list vpn_nonat_Swisscom permit ip object-group Swisscom_gin

vpn-clients 255.255.255.0

nat (Swisscom) 0 access-list vpn_nonat_Swisscom

This will define the NAT rule for return traffic.

Hope this fixes the issue.

Regards,

NT

View solution in original post

praprama · ‎08-27-2010

Hi,

I am not sure why it's giving you that error. hink it's due to nat-control being enabled. Try disabling that. If that does not help, could you run a packet tracer and paste the output?

packet-tracer input outside tcp 192.168.44.3 3183 10.237.214.151 21 detail

Regards,

Prapanch

Kevin Redmon · ‎08-27-2010

One item that will assist others when troubleshooting issues like this based just on the configuration alone is to issue the command 'no names' - this allows all of the access-lists to show the real IP address so we don't have to reference the 'names' alias at the top of the configuration. After you gather the configuration, you can re-enable the aliases via the command 'names'.

After parsing through your configuration, I see that you have 'nat-control' enabled. That implies that all hosts that traverse the ASA (from a high security to lower security level interface) must have an explicit NAT command present. If not, they are not allowed to pass. With that being said, looking at all of the 'nat' commands, I don't see one present for interface 'Swisscom'. Any host on 'Swisscom' does not have a translation present to egress the outside interface. This is likely the cause of the error - you are translating the outside host to the Swisscom interface address, but the reverse flow doesn't have a translation. If you want the hosts on 'Swisscom' to appear as their real IP address on the outside, you can do another 'nat (Swisscom) 0 access-list nonat_Swisscom' statement. If you only want to define NAT on an "exception" basis versus the rule, you can issue the command 'no nat-control'.

The reason why you likely have not had issues with inside hosts is because the inside hosts are going from a high security to a lower security interface - only the high security interface will need the translation.

If this helps, be sure to mark this thread as answered for others benefit.

Have a great weekend,

Kevin

tgrundbacher · ‎08-27-2010

Hi Prapanch and Kevin

Both of your input helped me to get closer to the solution, whereas I've learned some lessons from your input, Kevin. I've learned, that it's required to also add a NAT statement for returning traffic, if the returning traffic is coming from a higher-level security interface. So my configured outside NAT is not enough to achieve bidirectional translation, right?

Thanks also for reminding me to turn of 'names' for troubleshooting purposes. Sorry for that, yet I'll continue to use the names in the ACLs, it's easier for me to organize all the config sniplets I've accumulated so far.

Now I've configured the following lines for return traffic (and I noticed I have to do the matching on the real IPs 192.168.44.0 /24 (= 'vpn-clients') and not 10.25.125.9 /32, otherwise the asymmetric translation errors won't go away):

access-list nonat-Swisscom extended permit ip object-group Swisscom_gin vpn-clients 255.255.255.0

nat (Swisscom) 0 access-list nonat-Swisscom

Also, I've made sure the ACL in the return path will allow the traffic towards the VPN clients:

access-list Swisscom_access_in extended permit ip object-group Swisscom_gin host 10.25.125.9
access-list Swisscom_access_in extended permit ip object-group Swisscom_gin vpn-clients 255.255.255.0

Now the asymmetric translation error has gone away, yet there's still no traffic flowing. I've done a packet-trace with the following options:

packet-tracer input Swisscom tcp 10.237.214.151 21 192.168.44.3 3321 detail

And this is where the packet gets stuck...something seems very fishy here:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (outside) 4 access-list vpn_nat_Swisscom outside
nat-control
match ip outside vpn-clients 255.255.255.0 Swisscom host 10.237.214.151
    dynamic translation to pool 4 (10.25.125.9)
    translate_hits = 33, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd7c8f368, priority=2, domain=nat-reverse, deny=false
        hits=1, user_data=0xd7c8f210, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.237.214.151, mask=255.255.255.255, port=0
        dst ip=vpn-clients, mask=255.255.255.0, port=0, dscp=0x0

I've also temporarily disabled 'ip verify reverse-path interface Swisscom', no success.

What could be wrong this time?

Toni

praprama · ‎08-27-2010

Hey,

The issue i think is because you have now configured the NAT exemption using the nat (Swisscom) 0 access-list nonat-Swisscom

This basically says there is not going to be any NAT involved for traffic from the 10.237.214.151 server to the VPN clients and vice versa. But in fact, you want to PAT the VPN client IP addresses. Instead of having a nat exemption, please try adding the below:

static (Swisscom,outside) Swisscom_gin access-list nonat-Swisscom

You can choose to change the name of the access-list to be more relevant. This does almost the same thing as NAT exemption. Let me know if this helps.

Another option you have is to remove the NAT exemption and disable "nat-control".

Regards,

Prapanch

praprama · ‎08-27-2010

Hey just realized that if you use the static command it is going to give you an error.

So, here is the command you will need.

access-list Swisscom-VPN permit ip host 10.237.214.151 vpn-clients 255.255.255.0

static (Swisscom,outside) 10.237.214.151 access-list Swisscom-VPN

try adding this instead of the NAT exemptions and see if it helps.

Regards,

Prapanch

tgrundbacher · ‎08-28-2010

Hi Prapanch

Thanks for your input. So I've removed the nat (Swisscom) 0 access-list nonat-Swisscom and added the static with an ACL as you've proposed.

No success either. This is what packet-tracer tells me now:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (outside) 4 access-list vpn_nat_Swisscom outside
nat-control
match ip outside vpn-clients 255.255.255.0 Swisscom host 10.237.214.151
    dynamic translation to pool 4 (10.25.125.9)
    translate_hits = 40, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd7c8f368, priority=2, domain=nat-reverse, deny=false
        hits=2, user_data=0xd7c8f210, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.237.214.151, mask=255.255.255.255, port=0
        dst ip=vpn-clients, mask=255.255.255.0, port=0, dscp=0x0

When I change the ACL of the static to:

access-list Swisscom-VPN extended permit ip host 10.237.214.151 host 10.25.125.9

it doesn't help either, and the packet-tracer stops here:

Phase: 8
Type: NAT
Subtype:
Result: DROP
Config:
nat (Swisscom) 0 0.0.0.0 0.0.0.0
nat-control
match ip Swisscom any outside any
    no translation group, implicit deny
    policy_hits = 1
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7c6b2e0, priority=0, domain=nat, deny=false
        hits=2, user_data=0xd7c6b220, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

As I don't want to bore you guys any further: Do you know whether this scenario is supported by an ASA at all? For me, there's only two possibilities: Either I'm running into a bug, or the ASA won't allow you to source NAT a VPN pool to a different address, or, expressed differently: there's no possibility to do it bidirectionally.

What do you guys think? Am I going to be successful if I open a TAC case? I'm out of ideas now.

Thank you so far, anyway.

Toni

praprama · ‎08-28-2010

Hey,

I am not sure why you are getting the NAT drop in nat (Swisscom) 0 0.0.0.0 0.0.0.0.

Do you have such a command entered in the first place? Have you tried disabling nat-control to see if that helps?

But yeah go ahead and open up a TAC case. I am sure you will get it resolved much faster that way. I am sure this requirement is still supported. We are just not able to get hold of the problem with the information we have currently.

Regards,

Prapanch

tgrundbacher · ‎08-28-2010

Hi again

I haven't used a NAT exemption on the Swisscom interface, that's why I'm so confused about it. There's no 'nat (Swisscom) 0 0 0' statement in the config.

No, I haven't removed 'nat-control' as this is a productive customer device and I don't want to risk any troubles without being in a maintenance window.

Thanks for your support so far; in case you came across a solution, please let me know.

Regards

Toni

Nagaraja Thanthry · ‎08-28-2010

Hello,

The reason you are getting RPF check on that line is because, even though

you are terminating VPN traffic on the outside interface, VPN clients are

treated as internal hosts (belonging to inside network). Can you remove "nat

(outside) 4 access-list vpn_nat_Swisscom outside" and enter "nat (inside) 4

access-list vpn_nat_Swisscom"?

Hope this helps.

Regards,

NT

tgrundbacher · ‎08-29-2010

Hi Nagaraja

As requested, I've changed the outside NAT to a inside NAT for the VPN pool:

access-list vpn_nat_Swisscom extended permit ip vpn-clients 255.255.255.0 object-group Swisscom_gin

nat (inside) 4 access-list vpn_nat_Swisscom

No remedy so far, see the packet-tracer output:

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (Swisscom) 0 0.0.0.0 0.0.0.0
nat-control
match ip Swisscom any outside any
    no translation group, implicit deny
    policy_hits = 2
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7c6b2e0, priority=0, domain=nat, deny=false
        hits=3, user_data=0xd7c6b220, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: Swisscom
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The interesting thing is, there is not 'nat (Swisscom) 0' rule configured!

Nagaraja Thanthry · ‎08-29-2010

Hello,

So, we are making progress now :). Now that traffic is going from VPN

clients to Swisscom interface fine, let us put one more rule for the reverse

path:

access-list vpn_nonat_Swisscom permit ip object-group Swisscom_gin

vpn-clients 255.255.255.0

nat (Swisscom) 0 access-list vpn_nonat_Swisscom

This will define the NAT rule for return traffic.

Hope this fixes the issue.

Regards,

NT

tgrundbacher · ‎08-29-2010

Hi Nagaraja

Now this is interesting, this has changed now:

1.) Packet-tracer reports that the return traffic is allowed! -> see attached file.

2.) There's no xlate entry while trying to send packets to the destination server 10.237.214.151. (Compared to when I source NAT the VPN pool from the outside interface instead of the inside.)

3.) Still, I can't get any traffic through, capture reports zero bytes back and forth:

iconfw(config)# sh capture
capture test type raw-data access-list test interface Swisscom [Capturing - 0 bytes]

4.) ASDM reports that the VPN client has issued a Ping - from outside! This is the only log message appearing:

"IDS:2004 ICMP echo request from 192.168.44.2 to 10.237.214.151 on interface outside"

Please see the current config excerpt attached.

Nagaraja Thanthry · ‎08-29-2010

Hello,

Can you run the following packet tracer:

packet-tracer input outside tcp 192.168.44.2 3321 10.237.214.151 21 det

Regards,

NT

praprama · ‎08-28-2010

Hey Toni,

Hmmm. Could you just paste the configuration you have currently along with the output of "show crypto ipsec sa" and

"show xlate det | in " when trying to pass traffic from the VPN client to the DMZ server alone? I ll look through it again and see if i can find something from it or try few things out on my side if possible.

Regards,

Prapanch